Overview of Azure AD Identity Governance using Microsoft Graph
Azure Active Directory (Azure AD) Identity Governance allows you to balance your organization's need for security and employee productivity with the right processes and visibility. It provides you with capabilities to ensure that the right principals have the right access to the right resources and at the right time.
The principals (or identities) whose access you can govern include users, groups, and applications (or service principals). The users can be your employees, business partners, vendors, or contractors. The resources to which you can govern access include groups, access packages, and privileged roles.
You manage Azure AD Identity Governance capabilities programmatically by using the following identity governance APIs in Microsoft Graph.
- Access reviews
- Entitlement management
- Lifecycle Workflows
- Privileged identity management
For more information about Azure AD Identity Governance, see What is Azure AD Identity Governance?.
Manage the lifecycle of users in your organization
Organizations have processes that are carried out during at least three stages of an employee's life cycle: when they join the organization, when they move within the organization, and when they leave the organization. Such processes may include provisioning and deprovisioning access and resources where required.
The lifecycle workflows APIs in Microsoft Graph allow you to automate the basic lifecycle processes for users in your organization. These lifecycle processes enable the organization and its users to be efficient, secure, or compliant.
Automate user access to resources
Employees in organizations may need access to various resources to perform their jobs. Partners and vendors may also need access to your resources. In complex organizations, it may be difficult for users to identify what access they require, how to request access, and who should grant them access.
The entitlement management APIs in Microsoft Graph allow you to automate access request workflows, access assignments, reviews, and expiration.
Attest to the access that principals have to resources
When a principal has access to resources in your organization, it's important to verify periodically that the principal still requires access. Use the access reviews API to programmatically verify the access.
For example, suppose your organization automates employee access to a specific business-sensitive resource, and guests have been granted access to that resource through a group. It's important to periodically confirm that the guests still have a legitimate need for membership in the group and, by extension, for access to the resource.
Access reviews are a form of auditing the effectiveness of the organization's internal controls. For more information, see the overview of access reviews.
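As an added example that is not part of the original page, the following Python builds the request body the access reviews API expects for the guest scenario above: a recurring review of the guest members of a group, reviewed by the group owners, with unanswered reviews defaulting to Deny. It follows the accessReviewScheduleDefinition resource of Microsoft Graph v1.0; the group id, display names and start date are placeholders.

```python
# Added example (not from the page or the Microsoft Graph docs): request body for a
# recurring access review of a group's guest members, per the Graph v1.0
# accessReviewScheduleDefinition resource. GROUP_ID is a placeholder object id.
import json

GRAPH_ENDPOINT = "https://graph.microsoft.com/v1.0/identityGovernance/accessReviews/definitions"
GROUP_ID = "00000000-0000-0000-0000-000000000000"  # placeholder group object id

def build_guest_group_review(group_id: str, start_date: str, interval_months: int = 3) -> dict:
    """Return a POST body that reviews only guest users who are transitive members of
    group_id, reviewed by the group owners, with an unreviewed guest denied by default."""
    return {
        "displayName": "Quarterly review of guest access",
        "descriptionForAdmins": "Confirm that guests still need access granted through this group.",
        "descriptionForReviewers": "Deny any guest who no longer needs access to the resource.",
        "scope": {
            "@odata.type": "#microsoft.graph.accessReviewQueryScope",
            # Only guest users are in scope; employee access is governed by other processes.
            "query": f"/groups/{group_id}/transitiveMembers/microsoft.graph.user/?$filter=(userType eq 'Guest')",
            "queryType": "MicrosoftGraph",
        },
        "reviewers": [{"query": f"/groups/{group_id}/owners", "queryType": "MicrosoftGraph"}],
        "settings": {
            "mailNotificationsEnabled": True,
            "reminderNotificationsEnabled": True,
            "justificationRequiredOnApproval": True,
            # Fail closed: a guest nobody reviews is denied and removed when decisions are applied.
            "defaultDecisionEnabled": True,
            "defaultDecision": "Deny",
            "instanceDurationInDays": 14,
            "autoApplyDecisionsEnabled": True,
            "recommendationsEnabled": True,
            "recurrence": {
                "pattern": {"type": "absoluteMonthly", "interval": interval_months, "dayOfMonth": 1},
                "range": {"type": "noEnd", "startDate": start_date},
            },
        },
    }

def fails_closed(definition: dict) -> bool:
    """True when a non-response removes access instead of silently keeping it."""
    s = definition["settings"]
    return s["defaultDecisionEnabled"] and s["defaultDecision"] == "Deny" and s["autoApplyDecisionsEnabled"]

if __name__ == "__main__":
    body = build_guest_group_review(GROUP_ID, "2024-01-01T00:00:00Z")
    print(f"POST {GRAPH_ENDPOINT}  (caller needs the AccessReview.ReadWrite.All permission)")
    print(json.dumps(body, indent=2))
```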
Manage access to privileged roles
Every organization has employees who require privileged administrative roles to perform their duties. In Azure AD, you can grant such privileged assignments through Azure AD built-in roles. Because of the kind of permissions that these roles allow, it's important to mitigate the risks of excessive, unnecessary, or misused privileged roles.
The privileged identity management APIs in Microsoft Graph allow you to programmatically manage the lifecycle of privileged Azure AD roles in your tenant.
This feature helps organizations to align their identities with the three guiding principles of a Zero Trust architecture:
- Verify explicitly
- Use least privilege
- Assume breach
To find out more about Zero Trust and other ways to align your organization to the guiding principles, see the Zero Trust Guidance Center.